@jsha For some reason, when I put an invalid feature in the TLS Feature Extension attribute in the CSR, Boulder answers with Error: urn:acme:error:serverInternal :: The server experienced an internal error :: Error creating new cert.
I confirmed a Must-Staple TLS Feature Extension CSR can be signed on staging
with the following CSR generating command:
openssl req -new -sha256 -key ${PRIVKEY} -subj "/CN=${1}" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:${1}\n1.3.6.1.5.5.7.1.24=DER:30:03:02:01:05")) -out ${CSR}
But when you change DER:30:03:02:01:05 (status_request extension, i.e., OCSP stapling) to DER:30:03:02:01:04 (truncated_hmac extension, not valid in Boulder of course), Boulder generates the above error.
The only thing in the code as far as I can see, which should “catch” this, is:
Which only adds some stats on line 343, but doesn’t result in a clear error message.
Shouldn’t the error be something more along the lines of “You’ve requested an invalid TLS Feature Extension”?
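To make the behaviour being discussed concrete, here is an added Go example (not Boulder's code, and not from the poster) that builds a CSR carrying the id-pe-tlsfeature extension (1.3.6.1.5.5.7.1.24, the OID used in the openssl command above), decodes it, and rejects anything other than status_request with the kind of clear error the post asks for. The allow-list (only feature 5 is acceptable), the function names and the "example.test" hostname are assumptions made for the example; it generates a fresh P-256 key each run and needs no network access.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// oidTLSFeature is id-pe-tlsfeature (1.3.6.1.5.5.7.1.24) from RFC 7633,
// the same OID the openssl command in the post writes into the CSR.
var oidTLSFeature = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 24}

// Assumed allow-list for this example: only status_request (TLS extension 5,
// OCSP stapling / Must-Staple) is a feature a CA should assert in a certificate.
const tlsFeatureStatusRequest = 5

// tlsFeaturesFromCSR decodes the TLSFeature extension of a parsed CSR.
// It returns the feature numbers, whether the extension was present, and an
// error if the extension body is not a well-formed SEQUENCE OF INTEGER.
func tlsFeaturesFromCSR(csr *x509.CertificateRequest) ([]int, bool, error) {
	for _, ext := range csr.Extensions {
		if !ext.Id.Equal(oidTLSFeature) {
			continue
		}
		var features []int
		rest, err := asn1.Unmarshal(ext.Value, &features)
		if err != nil {
			return nil, true, fmt.Errorf("malformed TLSFeature extension: %v", err)
		}
		if len(rest) != 0 {
			return nil, true, fmt.Errorf("trailing bytes after TLSFeature extension")
		}
		return features, true, nil
	}
	return nil, false, nil
}

// checkTLSFeatures is the client-facing check the post asks for: reject any
// feature number other than status_request, naming the offending value.
func checkTLSFeatures(features []int) error {
	for _, f := range features {
		if f != tlsFeatureStatusRequest {
			return fmt.Errorf("you've requested an invalid TLS Feature Extension: feature %d is not supported (only status_request, %d, is allowed)", f, tlsFeatureStatusRequest)
		}
	}
	return nil
}

// validateCSRTLSFeatures is what a CA front end would run before signing.
func validateCSRTLSFeatures(csr *x509.CertificateRequest) error {
	features, present, err := tlsFeaturesFromCSR(csr)
	if err != nil {
		return err
	}
	if !present {
		return nil // no TLSFeature extension requested, nothing to check
	}
	return checkTLSFeatures(features)
}

// buildCSR constructs a CSR for name with the given TLS feature numbers in the
// TLSFeature extension (constructed test input; a fresh P-256 key each call).
// An empty features slice produces a CSR without the extension.
func buildCSR(name string, features []int) (*x509.CertificateRequest, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: name},
		DNSNames: []string{name},
	}
	if len(features) > 0 {
		val, err := asn1.Marshal(features) // []int{5} encodes as 30 03 02 01 05
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidTLSFeature, Value: val}}
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &tmpl, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der)
}

func main() {
	// status_request only, truncated_hmac only, a mix, and no extension at all
	for _, feats := range [][]int{{5}, {4}, {5, 4}, nil} {
		csr, err := buildCSR("example.test", feats)
		if err != nil {
			panic(err)
		}
		if err := validateCSRTLSFeatures(csr); err != nil {
			fmt.Printf("features %v: rejected: %v\n", feats, err)
		} else {
			fmt.Printf("features %v: accepted\n", feats)
		}
	}
}
```

The decode step deliberately fails closed on trailing bytes and on anything that is not a SEQUENCE OF INTEGER, so a malformed extension gets a specific parse error rather than surfacing later as a generic internal error during signing.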